Commit a1622524 authored by Birte Kristina Friesel

imlib.c: Use wget --no-clobber

This prevents a (highly unlikely) case of an attacker knowing feh's PID and
the user's URL rewriting user files by means of a TOCTTOU attack.

It is still possible to _create_ arbitrary files via dangling symlinks. That
will be fixed once I switch from wget to libcurl.
(cherry picked from commit 23421a86)

Conflicts:

	ChangeLog
parent 3bd5012d
+2 −1
@@ -453,7 +453,8 @@ char *feh_http_load_image(char *url)
			if (!opt.verbose)
				quiet = estrdup("-q");

			execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL);
			execlp("wget", "wget", "--no-clobber", "--cache=off",
					"-O", tmpname, url, quiet, NULL);
			eprintf("url: Is 'wget' installed? Failed to exec wget:");
		} else {
			waitpid(pid, &status, 0);
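
Review bot: the added execlp call in feh_http_load_image() carries no comment saying why --no-clobber is there, so next to "-O", tmpname the flag looks redundant and is easy to drop in a later cleanup. A one-line comment above the call stating that wget must refuse to write when tmpname already exists (the TOCTTOU case from the commit message) would keep it in place, and could also record that dangling symlinks are not covered yet. With this flag wget leaves an existing tmpname untouched instead of overwriting it, so the code after waitpid(pid, &status, 0) should be checked to make sure that case is treated as a failed load rather than reading the pre-existing file; that handling is outside this hunk.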